Add secure context criteria to pointerrawupdate and getCoalescedEvents#318
Conversation
|
@domenic for the |
|
You also need to update whatever normative text fires a pointerrawupdate event to have it not do so when an appropiate global is not a secure context. Just hiding the event handler attribute wouldn't stop that spec text from executing and causing |
|
It appears the section to update is https://w3c.github.io/pointerevents/#the-pointerrawupdate-event |
|
Does this look good? |
domenic
left a comment
There was a problem hiding this comment.
Seems reasonable, although the phrasing is a bit awkward. But within the existing structure of that section it should work.
|
I couldn't find tests for this, at least for the pointerrawupdate. And I'm not sure https://wpt.fyi/results/pointerevents/idlharness.window.html?label=master&label=experimental&aligned&view=subtest&q=idlharness gets run in https contexts. The link in the page leads to http site. Implementations seem to expose getCoalescedEvents on non-secure contexts too |
|
Finally adding a test for this. Need to move quite a few tests to be loaded from .https and then have some tests for non-https to ensure the features aren't exposed. |
|
Thanks @smaug---- for fixing a bunch of WPTs around this. This calls for new WPTs to be included in the Interop 2024 proposal (web-platform-tests/interop#472). Please consider voting for some of the WPTs you updated here (and maybe other WPTs too). |
@NavidZ This does not stop any attacks.
This just limits fingerprinting to I hate to see these artificial limitations. Another example is limiting hash functions to secure contexts only. In those scenarios people just import a third party library, which is error prone and only adds technical debt because of this poor decision. A better fix would be a permission prompt-based system (see: screen capture on Wayland), regardless if the website uses encryption or not (and we all know that encryption != authenticity, right? RIGHT?). |
|
@szmarczak this PR was merged a while ago and I do encourage you to file a new issue as that might give you more traction. from the current editors and maintainers of the repo as I have been away from this standard for quite some time. To your original question, I think the PR description should have been more clear in the hindsight. I updated a bit for posterity. I totally agree that these sort of changes makes it a bit harder (but not impossible) for developers to setup localhost testing. The goal of these |
No, it does not remedy anything. It just disables autoplay (irritating behavior) & auto full screen (full screen scam popups). Which is a good thing for non-technical people.
There is no correlation between raw mouse events and man in the middle. If you have proof, even theoretical, I'd love to read it. Like I said earlier, even though you can't use browser-implemented hash functions, you can import a third party library at the cost of additional technical debt.
Disabling raw mouse events does not achieve that. If someone wants to disallow MITM, then they need to use encryption. However, one need not do MITM to perform an attack. They can use a domain that is very similar to the victim. So using HTTPS does not prevent such attacks, any limitations on unencrypted HTTP are pointless. |
Add secure context criteria to pointerrawupdate event
and getCoalescedEvents APIs to reduce its exposure
to possible attacks such as injecting scripts to http traffic.
closes #277
Preview | Diff